The Microsoft-owned software developer platform, GitHub, has confirmed a third party has gained unauthorized access to 3800 internal repositories.
The breach was detected on May 19 and likely comes from a “poisoned” Visual Studio Code (VS Code) extension found by the GitHub security team on an employee device, GitHub confirmed on social media.
VS Code is a free, open-source code editor developed by Microsoft. It is often used with GitHub Copilot, an AI coding assistant.
The breach was claimed by the TeamPCP hacking group. Posting on the Breached cybercrime forum, the group alleged they gained access to GitHub source code and "~4000 repos of private code." TeamPCP is demanding at least $50,000 for the stolen data.
However, the threat group stated that this was “not a ransom” and that they were not interested in extorting GitHub.
They claimed that they would only sell the data to one buyer, were "not interested in under 50k" and that "the best offer will get it." They said they would delete the stolen data once a buyer had been found, adding that it appeared their retirement was imminent.
They also warned that if no buyer was found, they would leak the data for free.
After confirming the breach, GitHub said it has now “contained” it.
“We removed the malicious extension version, isolated the endpoint and began incident response immediately. Critical secrets were rotated yesterday and overnight with the highest-impact credentials prioritized first,” said GitHub.
“We continue to analyze logs, validate secret rotation, and monitor for any follow-on activity. We will take additional action as the investigation warrants.”
The company also promised to publish a more detailed report once the investigation is complete.
TeamPCP: Cyber Extortion Via Open-Source Projects
TeamPCP is a cyber threat group that has rapidly gained notoriety for large‑scale software supply chain attacks, particularly against open-source ecosystems and security‑adjacent tools.
The group has repeatedly compromised widely used projects such as Aqua Security’s Trivy vulnerability scanner and Checkmarx’s KICS infrastructure-as-code analyzer via attacks on GitHub Actions and other software development components.
They then expanded the campaign into the Python Package Index (PyPI), where they directly compromised legitimate packages, including the LiteLLM AI Gateway client library and Telnyx’s official SDK, by publishing backdoored releases.
Beyond these direct compromises, they have also used PyPI typosquatting among other deceptive techniques to push credential-stealing malware to downstream users.
These attacks are designed to harvest sensitive information like cloud credentials, SSH keys, Kubernetes configurations and other software development secrets from many organizations.
TeamPCP has also reportedly started exploring ways to further monetize the secrets obtained through these campaigns and has formed explicit partnerships with extortion and ransomware actors, including Lapsus$ and the Vect ransomware group.
Public statements attributed to these groups describe an operational model in which TeamPCP provides initial access via compromised supply chain components, while Vect handles encryption and extortion, with BreachForums supplying a large operator base.
At the same time, a separate threat framework dubbed ‘PCPJack’ has emerged that specifically seeks out and removes TeamPCP artifacts from compromised environments before spreading laterally to steal additional cloud credentials, underscoring the scale and competitiveness of cloud-focused cybercrime that TeamPCP helped catalyze.
